{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,6]],"date-time":"2026-04-06T10:20:42Z","timestamp":1775470842593,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":52,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,30]],"date-time":"2023-11-30T00:00:00Z","timestamp":1701302400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"ERC","award":["850868"],"award-info":[{"award-number":["850868"]}]},{"name":"AFRL","award":["FA8655-20-1-7048"],"award-info":[{"award-number":["FA8655-20-1-7048"]}]},{"name":"SNSF","award":["PCEGP2_186974"],"award-info":[{"award-number":["PCEGP2_186974"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,30]]},"DOI":"10.1145\/3611643.3616313","type":"proceedings-article","created":{"date-parts":[[2023,11,30]],"date-time":"2023-11-30T23:14:38Z","timestamp":1701386078000},"page":"1586-1597","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Crystallizer: A Hybrid Path Analysis Framework to Aid in Uncovering Deserialization Vulnerabilities"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-1868-4204","authenticated-orcid":false,"given":"Prashast","family":"Srivastava","sequence":"first","affiliation":[{"name":"Purdue University, West Lafayette, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7114-5640","authenticated-orcid":false,"given":"Flavio","family":"Toffalini","sequence":"additional","affiliation":[{"name":"EPFL, Lausanne, Switzerland"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2443-4949","authenticated-orcid":false,"given":"Kostyantyn","family":"Vorobyov","sequence":"additional","affiliation":[{"name":"Oracle Labs, Brisbane, 
Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9470-5081","authenticated-orcid":false,"given":"Fran\u00e7ois","family":"Gauthier","sequence":"additional","affiliation":[{"name":"Oracle Labs, Brisbane, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2862-5286","authenticated-orcid":false,"given":"Antonio","family":"Bianchi","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5054-7547","authenticated-orcid":false,"given":"Mathias","family":"Payer","sequence":"additional","affiliation":[{"name":"EPFL, Lausanne, Switzerland"}]}],"member":"320","published-online":{"date-parts":[[2023,11,30]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"Apache. 2022. Apache Commons Collections Library. https:\/\/commons.apache.org\/index.html"},{"key":"e_1_3_2_2_2_1","unstructured":"Apache. 2022. Denylist for Java-based deserialization. https:\/\/github.com\/apache\/kafka\/blob\/trunk\/connect\/runtime\/src\/main\/java\/org\/apache\/kafka\/connect\/util\/SafeObjectInputStream.java"},{"key":"e_1_3_2_2_3_1","unstructured":"Apache. 2022. Java deserialization in Apache Pulsar. https:\/\/pulsar.apache.org\/docs\/v2.0.1-incubating\/functions\/api\/#java-serde"},{"key":"e_1_3_2_2_4_1","unstructured":"Apache. 2022. Kafka\u2014Distributed event streaming platform. https:\/\/github.com\/apache\/kafka"},{"key":"e_1_3_2_2_5_1","unstructured":"Apache. 2022. Lack of serialization filtering in Apache Pulsar. https:\/\/github.com\/apache\/pulsar\/blob\/master\/pulsar-functions\/api-java\/src\/main\/java\/org\/apache\/pulsar\/functions\/api\/utils\/JavaSerDe.java"},{"key":"e_1_3_2_2_6_1","unstructured":"Apache. 2022. Pulsar\u2014Distributed pub-sub messaging platform. https:\/\/github.com\/apache\/pulsar"},{"key":"e_1_3_2_2_7_1","unstructured":"AWS. 2022. What is Kafka? https:\/\/aws.amazon.com\/msk\/what-is-kafka"},{"key":"e_1_3_2_2_8_1","unstructured":"Baeldung. 2022. transient keyword in Java. 
https:\/\/www.baeldung.com\/java-transient-keyword"},{"key":"e_1_3_2_2_9_1","unstructured":"Alexander Belokrylov. 2022. Java\u2014popular enterprise coding language. https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2022\/04\/06\/why-and-how-java-continues-to-be-one-of-the-most-popular-enterprise-coding-languages"},{"key":"e_1_3_2_2_10_1","volume-title":"2023 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society.","author":"Cao S.","unstructured":"S. Cao, B. He, X. Sun, Y. Ouyang, C. Zhang, X. Wu, T. Su, L. Bo, B. Li, C. Ma, J. Li, and T. Wei. 2023. ODDFuzz: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing. In 2023 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society."},{"key":"e_1_3_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00044"},{"key":"e_1_3_2_2_12_1","unstructured":"CodeIntelligenceTesting. 2022. Jazzer \u2014 AutoFuzz mode. https:\/\/www.code-intelligence.com\/blog\/autofuzz"},{"key":"e_1_3_2_2_13_1","unstructured":"Apache Commons Collections. 2023. Apache Commons Collections security report. https:\/\/commons.apache.org\/proper\/commons-collections\/security-reports.html"},{"key":"e_1_3_2_2_14_1","unstructured":"Confluent. 2022. Kafka connectors serialization. https:\/\/www.confluent.io\/blog\/kafka-connect-deep-dive-converters-serialization-explained\/"},{"key":"e_1_3_2_2_15_1","volume-title":"Research in Attacks","author":"Cristalli Stefano","unstructured":"Stefano Cristalli, Edoardo Vignati, Danilo Bruschi, and Andrea Lanzi. 2018. Trusted Execution Path for Protecting Java Applications Against Deserialization of Untrusted Data. In Research in Attacks, Intrusions, and Defenses, Michael Bailey, Thorsten Holz, Manolis Stamatogiannakis, and Sotiris Ioannidis (Eds.). Springer International Publishing, Cham. 445\u2013464. isbn:978-3-030-00470-5"},{"key":"e_1_3_2_2_16_1","unstructured":"CyNation. 2017. Equifax Data Breach. 
https:\/\/cynation.com\/the-equifax-data-breach\/"},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660363"},{"key":"e_1_3_2_2_18_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-49538-X_5"},{"key":"e_1_3_2_2_19_1","volume-title":"31st European Conference on Object-Oriented Programming (ECOOP","author":"Dietrich Jens","year":"2017","unstructured":"Jens Dietrich, Kamil Jezek, Shawn Rasheed, Amjed Tahir, and Alex Potanin. 2017. Evil pickles: DoS attacks based on object-graph engineering. In 31st European Conference on Object-Oriented Programming (ECOOP 2017)."},{"key":"e_1_3_2_2_20_1","unstructured":"Frohoff. 2018. Beanutils GT chain. https:\/\/github.com\/frohoff\/ysoserial\/blob\/master\/src\/main\/java\/ysoserial\/payloads\/CommonsBeanutils1.java"},{"key":"e_1_3_2_2_21_1","unstructured":"Frohoff. 2018. Groovy GT chain. https:\/\/github.com\/frohoff\/ysoserial\/blob\/master\/src\/main\/java\/ysoserial\/payloads\/Groovy1.java"},{"key":"e_1_3_2_2_22_1","unstructured":"Chris Frohoff. 2022. ysoserial: A collection of known gadget chains found in Java-based software. https:\/\/github.com\/frohoff\/ysoserial"},{"key":"e_1_3_2_2_23_1","unstructured":"Andrew Gainer-Dewar. 2022. Dijkstra-like path enumeration algorithm for directed graphs. https:\/\/jgrapht.org\/javadoc\/org.jgrapht.core\/org\/jgrapht\/alg\/shortestpath\/AllDirectedPaths.html"},{"key":"e_1_3_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427257"},{"key":"e_1_3_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510455.3512786"},{"key":"e_1_3_2_2_26_1","volume-title":"Gadget Inspector: Static discovery of gadget chains. https:\/\/github.com\/JackOfMostTrades\/gadgetinspector","author":"Haken Ian","year":"2021","unstructured":"Ian Haken. 2021. Gadget Inspector: Static discovery of gadget chains. https:\/\/github.com\/JackOfMostTrades\/gadgetinspector"},{"key":"e_1_3_2_2_27_1","unstructured":"Jang. 2021. AspectJWeaver GT chain. 
https:\/\/github.com\/frohoff\/ysoserial\/blob\/master\/src\/main\/java\/ysoserial\/payloads\/AspectJWeaver.java"},{"key":"e_1_3_2_2_28_1","unstructured":"JFrog. 2022. Log4Shell vulnerability mounted using java deserialization. https:\/\/jfrog.com\/blog\/log4shell-0-day-vulnerability-all-you-need-to-know\/#appendix-b"},{"key":"e_1_3_2_2_29_1","volume-title":"Khedker","author":"Kanvar Vini","year":"2016","unstructured":"Vini Kanvar and Uday P. Khedker. 2016. Heap Abstractions for Static Analysis. ACM Comput. Surv.."},{"key":"e_1_3_2_2_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3368640.3368680"},{"key":"e_1_3_2_2_31_1","unstructured":"Kullrich. 2018. Vaadin GT chain. https:\/\/github.com\/frohoff\/ysoserial\/blob\/master\/src\/main\/java\/ysoserial\/payloads\/Vaadin1.java"},{"key":"e_1_3_2_2_32_1","unstructured":"Kaiser Mathias and Jasinner. 2019. Apache Commons Collections GT chain. https:\/\/github.com\/frohoff\/ysoserial\/blob\/master\/src\/main\/java\/ysoserial\/payloads\/CommonsCollections5.java"},{"key":"e_1_3_2_2_33_1","unstructured":"Kaiser Mathias and Jasinner. 2019. Apache Commons Collections GT chain. https:\/\/github.com\/frohoff\/ysoserial\/blob\/master\/src\/main\/java\/ysoserial\/payloads\/CommonsCollections2.java"},{"key":"e_1_3_2_2_34_1","unstructured":"Alvaro Munoz and Schneider. 2018. Beanshell GT chain. https:\/\/github.com\/frohoff\/ysoserial\/blob\/master\/src\/main\/java\/ysoserial\/payloads\/BeanShell1.java"},{"key":"e_1_3_2_2_35_1","volume-title":"Serial Killer: Silently Pwning Your Java Endpoints. https:\/\/paper.bobylive.com\/Security\/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf","author":"Munoz Alvaro","year":"2016","unstructured":"Alvaro Munoz and Christian Schneider. 2016. Serial Killer: Silently Pwning Your Java Endpoints. https:\/\/paper.bobylive.com\/Security\/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf"},{"key":"e_1_3_2_2_36_1","unstructured":"NVD. 2017. Apache Struts RCE vulnerability. 
https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2017-9805"},{"key":"e_1_3_2_2_37_1","unstructured":"NVD. 2023. CVE-2020-2555. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-2555"},{"key":"e_1_3_2_2_38_1","unstructured":"Oracle. 2021. Interface Serializable. https:\/\/docs.oracle.com\/javase\/7\/docs\/api\/java\/io\/Serializable.html"},{"key":"e_1_3_2_2_39_1","unstructured":"Oracle. 2022. Java Deserialization using readObject. https:\/\/docs.oracle.com\/javase\/7\/docs\/api\/java\/io\/ObjectInputStream.html#readObject()"},{"key":"e_1_3_2_2_40_1","unstructured":"Oracle. 2022. Java Serialization using writeObject. https:\/\/docs.oracle.com\/javase\/7\/docs\/api\/java\/io\/ObjectOutputStream.html#writeObject()"},{"key":"e_1_3_2_2_41_1","unstructured":"Oracle. 2022. Object class in Java. https:\/\/docs.oracle.com\/javase\/8\/docs\/api\/java\/lang\/Object.html"},{"key":"e_1_3_2_2_42_1","unstructured":"Oracle. 2023. classpath in Java. https:\/\/docs.oracle.com\/javase\/tutorial\/essential\/environment\/paths.html"},{"key":"e_1_3_2_2_43_1","unstructured":"Oracle. 2023. Coherence library. https:\/\/www.oracle.com\/java\/coherence\/"},{"key":"e_1_3_2_2_44_1","unstructured":"Soot Oss. 2022. Soot. https:\/\/github.com\/soot-oss\/soot"},{"key":"e_1_3_2_2_45_1","volume-title":"Companion to the 22nd ACM SIGPLAN conference on Object-oriented programming systems and applications companion. 815\u2013816.","author":"Pacheco Carlos","unstructured":"Carlos Pacheco and Michael D Ernst. 2007. Randoop: feedback-directed random testing for Java. In Companion to the 22nd ACM SIGPLAN conference on Object-oriented programming systems and applications companion. 815\u2013816."},{"key":"e_1_3_2_2_46_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Park Sunnyeo","year":"2022","unstructured":"Sunnyeo Park, Daejun Kim, Suman Jana, and Sooel Son. 2022. FUGIO: Automatic Exploit Generation for PHP Object Injection Vulnerabilities. 
In 31st USENIX Security Symposium (USENIX Security 22). 197\u2013214."},{"key":"e_1_3_2_2_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3324884.3418931"},{"key":"e_1_3_2_2_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/1315245.1315313"},{"key":"e_1_3_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24550"},{"key":"e_1_3_2_2_50_1","unstructured":"TIOBE. 2022. Popular programming languages for development. https:\/\/www.tiobe.com\/tiobe-index\/"},{"key":"e_1_3_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-78372-3_13"},{"key":"e_1_3_2_2_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/1925805.1925818"}],"event":{"name":"ESEC\/FSE '23: 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","location":"San Francisco CA USA","acronym":"ESEC\/FSE '23","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software 
Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3611643.3616313","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3611643.3616313","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:36:04Z","timestamp":1750178164000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3611643.3616313"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,30]]},"references-count":52,"alternative-id":["10.1145\/3611643.3616313","10.1145\/3611643"],"URL":"https:\/\/doi.org\/10.1145\/3611643.3616313","relation":{},"subject":[],"published":{"date-parts":[[2023,11,30]]},"assertion":[{"value":"2023-11-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}